This project helps SOC/MSSP teams that operate QRadar for multiple clients collect and centralize monitoring statistics from all of their QRadar deployments in a single Elastic Stack.
Setup steps:

- Create an index template in your Elastic Stack. This repository provides an index template that you can load with `PUT _template/<YOUR_TEMPLATE_NAME>` (replace the placeholder with a name of your choosing).
- Populate the YAML files in /etc/logstash with the data appropriate to your context. Samples are provided in this project:
  - timezone.yml: a dictionary mapping each client name to its corresponding timezone.
  - clientnames.yml: a dictionary mapping each input configuration tag to its corresponding client name.
- Copy the conf.d configuration into your Logstash conf.d folder and customize it to your needs.
- Create a `/home/USER/Offenses/` folder to hold the search data extracted from QRadar in CSV format.
- Create the following scripted fields in Kibana:

Name | Lang | Script | Format |
---|---|---|---|
offense.day_of_week | painless | doc['@timestamp'].value.dayOfWeekEnum | String |
offense.hour_of_day | painless | doc['@timestamp'].value.hourOfDay | Number |
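The pipeline below is an added worked example, not a file from this repository, showing how the setup steps fit together: the file input reads the CSV exports dropped under `/home/USER/Offenses/`, the input tag is resolved to a client name through clientnames.yml, the client name is resolved to a timezone through timezone.yml, and the date filter uses that timezone so that `@timestamp` is correct UTC before the Kibana scripted fields derive day of week and hour of day. The CSV column names, the `client_a` tag, the `ACME Corp` client, the two QRadar date formats, the index name and the Elasticsearch host and credentials are all assumptions for the example; adapt them to your exports and the repository's conf.d and index template.

```conf
# Added example pipeline (not the project's own conf.d file).
# Assumed: CSV exports with columns id,description,start_time,magnitude,source_count;
# one file input per client, tagged with the key used in clientnames.yml.
input {
  file {
    path => "/home/USER/Offenses/client_a/*.csv"
    mode => "read"                       # process whole files, not a growing log
    file_completed_action => "log"       # default is "delete": keep the exports
    file_completed_log_path => "/var/log/logstash/offenses_done.log"
    sincedb_path => "/var/lib/logstash/offenses.sincedb"
    tags => ["client_a"]                 # looked up in clientnames.yml below
    codec => plain { charset => "UTF-8" }
  }
}

filter {
  # QRadar writes a header row on every export; drop it (assumed header starts with "Id").
  if [message] =~ /^"?Id"?,/ { drop { } }

  csv {
    separator => ","
    columns => ["id", "description", "start_time", "magnitude", "source_count"]
    target => "offense"                  # keep every column under one object
    skip_empty_columns => true
    convert => { "magnitude" => "integer" "source_count" => "integer" }
  }

  # Assumed clientnames.yml entry:  client_a: "ACME Corp"
  # (use field/destination instead of source/target on older translate plugins)
  translate {
    source => "[tags][0]"
    target => "[client][name]"
    dictionary_path => "/etc/logstash/clientnames.yml"
    fallback => "unknown"
  }
  # Assumed timezone.yml entry:  ACME Corp: "Europe/Paris"
  translate {
    source => "[client][name]"
    target => "[client][timezone]"
    dictionary_path => "/etc/logstash/timezone.yml"
    fallback => "UTC"
  }

  # QRadar exports start_time in the console's local time. Parse it in the
  # client's zone so @timestamp is true UTC and the Kibana scripted fields
  # (offense.day_of_week, offense.hour_of_day) are comparable across clients.
  date {
    match => ["[offense][start_time]", "yyyy-MM-dd HH:mm:ss", "MMM d, yyyy, h:mm:ss a"]
    timezone => "%{[client][timezone]}"  # date filter accepts a field reference here
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["https://es01:9200"]
    index => "qradar-offenses-%{+YYYY.MM}"   # must match the index template's pattern
    user => "logstash_writer"
    password => "${LOGSTASH_PW}"              # from the Logstash keystore, never in the file
    ssl => true
    cacert => "/etc/logstash/certs/ca.crt"
  }
}
```

Two points worth checking in your own deployment. First, with `mode => "read"` the file input deletes each file after reading unless `file_completed_action` is changed, so set it explicitly if you want to keep the CSV exports. Second, the scripted fields operate on `@timestamp`, which is stored in UTC, so "busiest hour" is computed in the Kibana viewer's browser timezone rather than in each client's local time; if per-client local hours matter, shift the timestamp by `client.timezone` inside the Painless script or store the local hour as a separate field in the pipeline.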
Statistics covered so far:

- Busiest days
- Busiest hours
- Average number of offenses by day of week

Planned work:

- Adding more AQL queries and searches
- Automating the collection process
- Moving from CSV to JSON as the data format